diff --git a/src/routes/oauth2.js b/src/routes/oauth2.js
index 370cf8705..d92b3203c 100644
--- a/src/routes/oauth2.js
+++ b/src/routes/oauth2.js
@@ -457,7 +457,7 @@ var token = [
 ];
 // tests if all requestedScopes are attached to the request
-function hasRequestedScopes(req, requestedScopes) {
+function validateRequestedScopes(req, requestedScopes) {
 assert.strictEqual(typeof req, 'object');
 assert(Array.isArray(requestedScopes));
@@ -494,7 +494,7 @@ function scope(requestedScope) {
 return [
 passport.authenticate(['bearer'], { session: false }),
 function (req, res, next) {
- var error = hasRequestedScopes(req, requestedScopes);
+ var error = validateRequestedScopes(req, requestedScopes);
 if (error) return next(new HttpError(401, error.message));
 next();
@@ -526,7 +526,7 @@ exports = module.exports = {
 accountSetup: accountSetup,
 authorization: authorization,
 token: token,
- hasRequestedScopes: hasRequestedScopes,
+ validateRequestedScopes: validateRequestedScopes,
 scope: scope,
 csrf: csrf
 };
diff --git a/src/routes/user.js b/src/routes/user.js
index 4ef61fd1c..7ae49c3cf 100644
--- a/src/routes/user.js
+++ b/src/routes/user.js
@@ -17,6 +17,7 @@ var assert = require('assert'),
 groups = require('../groups.js'),
 HttpError = require('connect-lastmile').HttpError,
 HttpSuccess = require('connect-lastmile').HttpSuccess,
+ oauth2 = require('./oauth2.js'),
 user = require('../user.js'),
 tokendb = require('../tokendb.js'),
 UserError = user.UserError,
@@ -135,8 +136,9 @@ function remove(req, res, next) {
 function verifyPassword(req, res, next) {
 assert.strictEqual(typeof req.body, 'object');
- // developers are allowed through without password
- if (req.user.tokenType === tokendb.TYPE_DEV) return next();
+ // using an 'sdk' token we skip password checks
+ var error = oauth2.validateRequestedScopes(req, ['sdk']);
+ if (!error) return next();
 if (typeof req.body.password !== 'string') return next(new HttpError(400, 'API call requires user password'));
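Review bot: The password bypass in verifyPassword now keys on the 'sdk' scope instead of on tokendb.TYPE_DEV, so any bearer token carrying that scope skips the password check for every route this middleware guards (the hunk header suggests the remove handler sits just above it); unless the 'sdk' scope is granted only to tokens the server itself issues, a client that can obtain it in the ordinary authorization flow could perform password-protected actions without the password, which is worth confirming at the point where scopes are assigned. The discarded `error` value also reads like a swallowed failure and deserves a more precise comment, e.g. `// tokens carrying the 'sdk' scope skip the password check; a scope error here only means the password path applies`. validateRequestedScopes asserts `typeof req === 'object'` but its body lies outside the first hunk, so whether it tolerates a request on which the authenticating middleware attached no scope information cannot be confirmed from this diff. verifyPassword continues outside the hunk.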